[owasp-intrinsic-security] Fwd: Saved Passwords and Clickjacking

Jim Manico jim.manico at aspectsecurity.com
Sun Nov 2 20:42:11 EST 2008


For what it's worth, the current best practice in the banking industry
is to use a tiny chunk of Java or Flash to render the login form to
circumvent browser-side credential caching.

- Jim

From: owasp-intrinsic-security-bounces at lists.owasp.org
[mailto:owasp-intrinsic-security-bounces at lists.owasp.org] On Behalf Of
Giorgio Maone
Sent: Thursday, October 30, 2008 12:30 PM
To: owasp-intrinsic-security at lists.owasp.org
Subject: [owasp-intrinsic-security] Fwd: Saved Passwords and Clickjacking

---------- Forwarded message ----------
From: Giorgio Maone <giorgio.maone at gmail.com>
Date: Thu, Oct 30, 2008 at 5:29 PM
Subject: Re: [owasp-intrinsic-security] Saved Passwords and Clickjacking
To: Bil Corry <bil at corry.biz>


The best solution IMHO is replacing auto-fill with a chrome-level UI
element to both fill and submit the form in a single gesture, like
Opera's Wand (ctrl+Enter) button.

On Thu, Oct 30, 2008 at 4:56 PM, Bil Corry <bil at corry.biz> wrote:

Arshan Dabirsiaghi wrote on 10/30/2008 9:08 AM:

> I have not heard much on prevention of this type of danger except in
> the form of "don't let FF save your passwords!!"

From the website's perspective, not allowing the browser to save the
username and password is an option.  I've seen some sites that do allow
the user to opt-in to have the site remember their username, so it will
pre-populate the username, and the user still has to enter their
password.



> I would guess a simple protection might be to not pre-populate form
> fields in an <iframe>. For further insurance of not breaking existing
> apps, you could say the browser can pre-populate if the <iframe> is from
> the same domain.

I think that is the cleanest solution, you'll have to let us know what
other ideas come out of the EU Summit.



- Bil


_______________________________________________
owasp-intrinsic-security mailing list
owasp-intrinsic-security at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-intrinsic-security
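The policy Arshan sketches in the thread above (pre-populate saved credentials only when the login page is top-level or framed from the same domain), as an added example that is not part of the thread and not code from any of its participants: a client-side approximation that the login page itself can run, since the browser-side rule the thread asks for did not exist at the time. It classifies how the document is framed, and if any ancestor frame is cross-origin it blanks whatever the browser pre-filled and disables the submit button, so a clickjacked click submits nothing. Every identifier here (classifyFraming, hardenLoginForm, the window-like helper objects) is this example's own, and the bank.example origin is made up; the window-like objects stand in for real browser windows so the code runs offline.

```javascript
'use strict';

// Compare scheme, host and port of two URL strings, the way the browser's
// same-origin policy does.
function sameOrigin(hrefA, hrefB) {
  const a = new URL(hrefA);
  const b = new URL(hrefB);
  return a.protocol === b.protocol && a.host === b.host;
}

// Classify how the current document is embedded.
//   'top'                : not framed at all
//   'same-origin-frame'  : every ancestor frame is same-origin
//   'cross-origin-frame' : some ancestor is cross-origin (or unreadable)
// `win` is the real `window` in a browser, or a window-like object with
// top/self/parent/location for offline testing. In a real browser, reading
// the location of a cross-origin ancestor throws a SecurityError, and that
// exception is itself the signal that the page is framed cross-origin.
function classifyFraming(win) {
  if (win.top === win.self) return 'top';
  const own = win.location.href;
  let cur = win;
  try {
    while (cur !== win.top) {
      if (cur.parent === cur) break;      // defensive: malformed chain
      cur = cur.parent;
      if (!sameOrigin(cur.location.href, own)) return 'cross-origin-frame';
    }
    return 'same-origin-frame';
  } catch (err) {
    return 'cross-origin-frame';
  }
}

// Apply the policy to the login form's controls. `fields` holds
// element-like objects ({value} / {disabled}), so the same function works on
// real DOM elements and on plain objects. Returns the decision taken.
function hardenLoginForm(fields, framing) {
  if (framing === 'cross-origin-frame') {
    fields.username.value = '';    // discard anything the browser pre-filled
    fields.password.value = '';
    fields.submit.disabled = true; // a clickjacked click now submits nothing
    return 'blocked';
  }
  return 'allowed';
}

// ---- constructed window-like objects so this runs offline (assumed, not
// real browser windows; the origins are made up) ----
function makeTopWindow(href) {
  const w = { location: { href } };
  w.top = w; w.self = w; w.parent = w;
  return w;
}
function makeFramedWindow(href, parentWin) {
  const w = { location: { href }, parent: parentWin, top: parentWin.top };
  w.self = w;
  return w;
}
// A cross-origin ancestor: reading its location throws, as a browser would.
function makeOpaqueWindow() {
  const w = { get location() { throw new Error('SecurityError'); } };
  w.top = w; w.self = w; w.parent = w;
  return w;
}

// Run the policy over four embeddings of the (made-up) bank login page.
function demo() {
  const bank = 'https://bank.example/login';
  const cases = {
    top: makeTopWindow(bank),
    sameOrigin: makeFramedWindow(bank, makeTopWindow('https://bank.example/')),
    crossOrigin: makeFramedWindow(bank, makeOpaqueWindow()),
    // readable but different scheme: still a different origin
    mixedScheme: makeFramedWindow(bank, makeTopWindow('http://bank.example/')),
  };
  const results = {};
  for (const [name, win] of Object.entries(cases)) {
    const fields = {
      username: { value: 'alice' },    // what the browser pre-filled
      password: { value: 'hunter2' },
      submit: { disabled: false },
    };
    const framing = classifyFraming(win);
    const decision = hardenLoginForm(fields, framing);
    results[name] = { framing, decision, passwordLeft: fields.password.value };
  }
  return results;
}

// In a browser the wiring is:
//   hardenLoginForm({ username: ..., password: ..., submit: ... },
//                   classifyFraming(window));
if (typeof window === 'undefined') console.log(demo());
```

Bil's site-side option corresponds to the markup half of this: `<input type="password" autocomplete="off">`, which browsers of that era honoured for their password managers (current browsers ignore it for login fields). A script-based framing check like the one above has a known limit: a framing page can suppress the framed document's scripts (for example with an HTML5 iframe sandbox that does not allow scripts), so the durable defence is a response header that tells the browser not to frame the page at all (X-Frame-Options, which browsers began honouring shortly after this thread), with the script as belt-and-braces on top.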
